Microsoft Office files, especially Excel and Word documents, have been targeted by cybercriminals for a long time. Using a range of techniques, attackers have embedded Visual Basic for Applications (VBA) macros in these files to infect computers with many types of malware, both for cybercrime and for cyberespionage.
In most cases the user still has to click through a prompt before code in those applications runs, but social engineering has repeatedly tricked unsuspecting victims into clicking and allowing the malicious macros to execute themselves. Direct exploitation of vulnerabilities, with no user interaction at all, is another way to launch malware from these files.
.XLL malicious exploit in the wild
As new research from Cisco Talos shows, threat actors can use event-handling functions in .XLL files to run code automatically as soon as Excel loads the add-in. The most common way to achieve this is to place the malicious code in the xlAutoOpen or xlAutoClose functions, which the Excel add-in manager calls on its own.
Cisco Talos researchers used specific VirusTotal queries to find malicious .XLL files and wrote YARA rules to hunt for them. They separated native .XLL samples built with the regular Microsoft .XLL SDK from samples generated with the Excel-DNA framework, which is free and therefore the tool most commonly used by threat actors (Figure A).
Figure A
The charts above show that threat actors were abusing .XLL files long before Microsoft started blocking documents containing VBA macros.
The Cisco Talos researchers found no potentially harmful samples submitted before July 2017. The first .XLL payload found on the VirusTotal platform launched calc.exe, a common proof-of-concept test for penetration testers and cybercriminals alike. The second sample, submitted in the same month, launched a Meterpreter reverse shell, which can serve either penetration testing or malicious purposes.
After that, .XLL files appeared only sporadically; the numbers rose sharply in late 2021, when notorious malware families such as Dridex and FormBook started using them.
Which Threat Actors Abuse .XLL Files?
Several attackers are now using .XLL files to infect computers.
APT10, also known as Red Apollo, menuPass, Stone Panda or Potassium, is a cyberespionage threat actor that has been active since 2006 and, according to the US Department of Justice, has ties to China’s Ministry of State Security.
In December 2017, the researchers found a file that uses .XLL to inject a malware exclusive to APT10 called Anel.
TA410 is another threat actor that targets US utilities and diplomatic organizations and is loosely associated with APT10. They use a toolkit that also includes a .XLL stage discovered in 2020.
The DoNot team, which targets Kashmiri nonprofits and Pakistani government officials, also appears to use this method: an .XLL file with two exports, the first called pdteong and the second xlAutoOpen, which together make it a fully functional .XLL payload. The export name pdteong is used exclusively by the DoNot team.
Fin7 is a cybercriminal threat actor operating out of Russia. In 2022, the threat actor started using .XLL files sent as attachments in malicious email campaigns. When those files run, they act as downloaders for the next stage of infection.
However, the biggest spike in .XLL detections on VirusTotal comes mainly from Dridex malware campaigns. These .XLL files act as downloaders for the next infection stage, which is chosen from a large list of possible payloads hosted on Discord.
The second most common payload is FormBook, an information stealer sold cheaply online as a service. Its operators use email campaigns to distribute the .XLL downloader, which then fetches the next stage of the infection: the FormBook malware itself.
A recent campaign by AgentTesla and Lokibot targeting Hungary abused .XLL files via email. The email pretended to be from Hungarian police forces (Figure B).
Figure B
The text was translated by Cisco Talos:
“We are the Division VII of the Budapest District Police.
We have heard about the excellence of your company. Our center needs your quote for our 2022 budget (attached). The budget is co-financed by the Ministry of the Interior of our Hungarian government. Submit your bid before August 25, 2022. Find the attachment and let us know if you need more information.”
In addition, Ducktail, an information-stealing malware run by a threat actor operating from Vietnam, uses .XLL files. The threat actor used a file named “Details of Project Marketing Plan and Facebook Google Ads Results Report.xll” to infect its targets with the Ducktail malware.
Default Microsoft Office behavior changes for the better
To help fight infections through the use of VBA macros, Microsoft has decided to change the default behavior of its Office products to block macros in files downloaded from the Internet.
Office add-ins are pieces of executable code that can be added to Office applications to enhance functionality or improve the appearance of the application. Office add-ins can contain VBA code or modules that embed compiled functionality in .NET bytecode. This can be in the form of COM servers or a Dynamic Link Library renamed with a specific file extension.
Add-ins for the Microsoft Word application must be in a location specified by a registry value, depending on the Office version. A file placed in that folder with a .WLL file extension is loaded into the Word process space.
For Microsoft Excel, any file with an .XLL extension that the user double-clicks is opened with Excel. Excel does show a warning about possible malware or security risks before loading the add-in, but this is ineffective with ordinary users, who often ignore such warnings.
.XLL add-ins are generally developed in C/C++ with the Microsoft Excel .XLL Software Development Kit, but frameworks such as Add-In Express and Excel-DNA allow the use of .NET languages such as C# or VB.NET.
How to protect against the .XLL security threat
The use of .XLL files is not widespread in corporate environments, so companies that don’t need them should block any attempt to run .XLL files in their environment. If your company does allow .XLL files, endpoints and servers should be monitored closely to detect and investigate suspicious activity.
Email gateways should reject .XLL attachments by default, and companies should raise awareness among business users: if they see a warning from Excel about an add-in being loaded and don’t know why, they should not allow it to run and should call their IT/security department.
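One way to implement the gateway side of that advice, as an added example that is not code from this article or from any named vendor: inspect every attachment of an incoming message and quarantine it when the attachment is an Office add-in by extension, or when its content is a Windows executable regardless of the name it claims (the lures described above arrive as plain .xll attachments, but a renamed add-in should not slip through either). The message used here is constructed with Python's standard `email` library to resemble the “budget quote” lure; the function names `attachment_verdicts`, `should_quarantine` and `build_sample_message` are this example's own.

```python
"""Attachment policy check for an email gateway (added example)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Excel (.xll) and Word (.wll) add-in extensions named in the article.
BLOCKED_EXTENSIONS = {".xll", ".wll"}


def attachment_verdicts(raw_message):
    """Return a (filename, verdict) pair for every attachment of a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
            verdicts.append((name, "block: add-in extension"))
        elif payload[:2] == b"MZ":
            # A PE image (DLL/EXE) no matter what the filename or MIME type claims.
            verdicts.append((name, "block: PE executable content"))
        else:
            verdicts.append((name, "allow"))
    return verdicts


def should_quarantine(raw_message):
    """True if any attachment fails the policy."""
    return any(verdict != "allow" for _, verdict in attachment_verdicts(raw_message))


def build_sample_message():
    """Constructed lure: a 'budget quote' e-mail with an .xll, a harmless text
    note, and a renamed add-in that pretends to be a spreadsheet."""
    fake_pe = b"MZ" + b"\0" * 62          # constructed stub, not a real add-in
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Quote request for the 2022 budget"
    msg.set_content("Please find the attachment and send your quote.")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="budget_2022.xll")
    msg.add_attachment("just a note", filename="notes.txt")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                       filename="budget_2022.xlsx")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for name, verdict in attachment_verdicts(raw):
        print(f"{name}: {verdict}")
    print("quarantine:", should_quarantine(raw))
```

The extension check alone would miss the third attachment; checking the first bytes of the decoded payload is what catches an add-in that has been renamed to look like a document.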
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.